
NVIDIA update fixes three vulnerabilities in GPU Display Driver

Graphics chip manufacturer NVIDIA last week released a security software update for its GPU Display Driver, fixing three vulnerabilities that, if left untreated, could result in denial of service, escalation of privileges, code execution or information disclosure.

The most serious of the three bugs is CVE-2019-5675, a high-severity flaw in the kernel mode layer handler for the "DxgkDdiEscape" function. According to a May 9 NVIDIA security bulletin, "The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes, which may lead to denial of service, escalation of privileges, or information disclosure."

A second bug, CVE-2019-5676, exposes NVIDIA software products to potential DLL preloading attacks due to a lack of path or signature validation when loading Windows system DLLs. Such an attack can result in an escalation of privileges through code execution. The flaw was reported by Kushal Arvind Shah of Fortinet's FortiGuard Labs, Łukasz 'zaeek', Yasin Soliman, Marius Mihai and Stefan Kanthak.
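A defender's view of the DLL preloading class described above, as an added example that is not from NVIDIA or its bulletin: it applies the path and signature checks to Sysmon image-load (Event ID 7) records. The DLL name list, the trusted signer string, the `ExampleVendor` paths and the sample events are all constructed assumptions.

```python
import ntpath

# Assumption: a small sample of Windows system DLL names; extend for real use.
SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "cryptbase.dll", "wtsapi32.dll"}
# Directories a Windows system DLL is expected to load from.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
TRUSTED_SIGNER = "Microsoft Windows"  # assumed signer string for system DLLs

def check_image_load(event):
    """Return why a Sysmon Event ID 7 record looks like DLL preloading ([] if clean)."""
    # normpath collapses "..", so a traversal cannot pass as a System32 path.
    path = ntpath.normpath(event["ImageLoaded"]).lower()
    directory, name = ntpath.split(path)
    if name not in SYSTEM_DLLS:
        return []  # not a system DLL name, out of scope for this check
    reasons = []
    if directory not in TRUSTED_DIRS:
        reasons.append("path")  # system DLL name loaded from a non-system directory
    signed_ok = (event.get("Signed") == "true"
                 and event.get("Signature") == TRUSTED_SIGNER
                 and event.get("SignatureStatus") == "Valid")
    if not signed_ok:
        reasons.append("signature")
    return reasons

def suspicious_loads(events):
    """Return (process, loaded DLL, reasons) for every flagged record."""
    hits = []
    for e in events:
        reasons = check_image_load(e)
        if reasons:
            hits.append((e["Image"], e["ImageLoaded"], reasons))
    return hits

APP = r"C:\Program Files\ExampleVendor\app.exe"  # constructed process path
GOOD = {"Image": APP, "Signed": "true", "Signature": TRUSTED_SIGNER, "SignatureStatus": "Valid"}
BAD = {"Image": APP, "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"}
SAMPLE_EVENTS = [  # constructed records, not captured from a real host
    {**GOOD, "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {**BAD, "ImageLoaded": r"C:\Program Files\ExampleVendor\version.dll"},
    {**GOOD, "ImageLoaded": r"C:\Windows\System32\..\Temp\dwmapi.dll"},
    {**BAD, "ImageLoaded": r"C:\Program Files\ExampleVendor\helper.dll"},
]

if __name__ == "__main__":
    for image, loaded, reasons in suspicious_loads(SAMPLE_EVENTS):
        print(f"{image} loaded {loaded}: failed {', '.join(reasons)} check")
```
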

NVIDIA also patched a medium-level vulnerability in the kernel mode layer handler for DeviceIoControl, "where the software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer, which may lead to denial of service," the security bulletin states.

The following Windows-based products are affected by one or more of these vulnerabilities:

  • GeForce: all R430 versions prior to 430.64 (patch currently available)
  • Quadro, NVS: all R430 versions prior to 430.64, all R418 versions prior to 425.51 (patches currently available), all R400 versions (patch available starting this week) and all R390 versions (patch available the week of May 20)
  • Tesla: all R418 versions prior to 425.25 (patch currently available) and all R400 versions (patch available starting this week)

In addition to NVIDIA's newly updated software versions, Windows driver versions 430.23, 425.25 and 422.02 provided by computer hardware vendors also include the security update, the company notes in its bulletin.

Bradley Barth
